Updates to Louisiana's Database Breach Notification Law
Technology Services • Published 7/18/2018

A bill amending Louisiana’s Database Breach Notification Law has passed and will take effect August 1, 2018 (the updated bill can be found here). While the substance of the bill remains intact, several key updates have been made that cover all aspects of the original bill.

The first modification is an expansion of covered personally identifiable information (PII) within the law. The amended list of PII includes:

  • Social Security number
  • Driver license number
  • State ID card number (new)
  • Passport number (new)
  • Biometric data (new)

While the new additions are fairly straightforward, biometric data has an expanded definition within the legislation. Taken directly from the bill, biometric data means “data generated by automatic measurements of an individual's biological characteristics, such as fingerprints, voice print, eye retina or iris, or other unique biological characteristic that is used by the owner or licensee to uniquely authenticate an individual's identity when the individual accesses a system or account”.

Key language has also been added to require an entity to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.” While a straightforward sentence, there are far-reaching implications for organizations that cannot demonstrate that appropriate cybersecurity safeguards exist and are functioning whether a security incident occurs or not. A requirement has also been added that speaks to the destruction of data when no longer retained by the organization.

One small but impactful change is the introduction of a maximum time for notifications required under the law. Previously, there was no set window for notification, only a requirement to make the notifications as expediently as possible. As updated, there is a 60-day notification window (from the discovery of the breach) and a requirement to notify the Attorney General, within the 60-day window and in writing, if any delays are determined to be necessary to determine the scope of the breach, limit the impact of the breach, or restore system integrity.

Certain thresholds have also been lowered within the law. The substitute notification section was updated to allow substitute notification steps if the cost to notify would exceed $100,000 (lowered from $250,000) or if the total population to be notified exceeds 100,000 (lowered from 500,000).

The last significant update, and perhaps the most important from an organization’s perspective, is the inclusion of language to remove the notification requirement if, after suitable review and investigation, an organization has determined that there is “no reasonable likelihood of harm.” Although positive, there are supplementary requirements for documentation and record retention that may be requested by the Attorney General. As such, this additional language may prompt changes in the incident response plans of organizations whether or not data exposure has occurred.

As updated, companies that hold PII of Louisiana residents will have to ensure that the cybersecurity efforts to protect said PII meet reasonable standards and that incident response plans include the necessary procedures to document and retain information pursuant to the updated law. The amendment demonstrates the fluid nature of the cybersecurity landscape and also highlights the importance of a strong cybersecurity risk management program.

P&N’s Technology Services Group knows cybersecurity and is here to empower you with expert insight. We help clients across Louisiana address cybersecurity needs, IT policy and more from our offices in Baton Rouge, New Orleans and Lafayette. Contact our team if you have questions.